Provenance Is a Stack, Not a Watermark: Reading OpenAI's C2PA and SynthID Bet
Source: openai
OpenAI announced a broader push around content provenance: signed Content Credentials on images and video out of Sora and DALL-E, Google’s SynthID watermarking applied to image output, and a hosted verification tool that lets anyone paste a file and inspect its origin. The framing is familiar by now. AI-generated media is hard to distinguish from camera output, elections and fraud cases keep surfacing synthetic media, and the platforms that produce the models would like to offer something better than vibes-based detection.
The interesting part is not the announcement. It is the stack underneath it, because provenance is not a single technique. It is at least three different things stapled together, each with its own threat model and failure mode.
Layer one: C2PA Content Credentials
The Content Credentials piece comes from the Coalition for Content Provenance and Authenticity, a joint effort between Adobe, Microsoft, the BBC, Intel, Sony, and others. The spec is public (C2PA 2.1 technical specification) and it is built on top of the older JUMBF container format that JPEG already uses for embedded metadata.
A C2PA manifest is a signed CBOR document attached to a media file. It records what the content is, what produced it, and what edits have happened to it. Each manifest is signed with an X.509 certificate chain rooted in a trust list. When you open a file in Adobe Photoshop or upload a Sora video to the verification tool, the reader walks the manifest store, verifies signatures, checks the certificate against the trust list, and computes a hard binding between the manifest and the bytes of the file (typically a SHA-256 hash of the pixel data plus relevant metadata boxes).
A minimal C2PA assertion looks something like this in JSON-LD form:
{
  "claim_generator": "OpenAI Sora/1.0",
  "assertions": [
    {
      "label": "c2pa.actions",
      "data": {
        "actions": [
          { "action": "c2pa.created", "digitalSourceType": "trainedAlgorithmicMedia" }
        ]
      }
    },
    {
      "label": "c2pa.hash.data",
      "data": { "alg": "sha256", "hash": "..." }
    }
  ],
  "signature": "..."
}
The digitalSourceType field comes from the IPTC digital source type vocabulary, and trainedAlgorithmicMedia is the value news organizations have standardized on for fully synthetic content. There is also compositeWithTrainedAlgorithmicMedia for hybrid cases.
The strength of C2PA is that it is an open standard with a real reference implementation (c2pa-rs, written in Rust, with bindings for Node, Python, and C). Anyone can write a verifier. Adobe’s Content Authenticity Initiative ships a browser extension that surfaces credentials on the open web. The weakness is also obvious: the manifest lives in the file. Strip the metadata, re-encode the JPEG, screenshot it, or pass it through any platform that normalizes uploads, and the manifest is gone. C2PA is a chain-of-custody system for files that stay intact, not a forensic signal that survives the internet.
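The hard binding described above, and why it breaks the moment the file changes, as an added sketch that is not code from OpenAI, c2pa-rs, or the C2PA specification. The asset bytes are constructed, the exclusions list of start/length ranges is modelled on the C2PA data-hash assertion and is not shown in the JSON above, and signature and trust-list checks are assumed to have passed already.

```python
import hashlib
import hmac

def hard_binding_hash(asset, exclusions):
    """SHA-256 over every byte of the asset that lies outside the exclusion ranges."""
    h, pos = hashlib.sha256(), 0
    for ex in sorted(exclusions, key=lambda e: e["start"]):
        start, end = ex["start"], ex["start"] + ex["length"]
        # Overlapping or out-of-bounds ranges could hide bytes from the hash: reject.
        if start < pos or end > len(asset) or ex["length"] <= 0:
            raise ValueError("malformed exclusion range")
        h.update(asset[pos:start])
        pos = end
    h.update(asset[pos:])
    return h.digest()

def check_binding(asset, assertion):
    """Return 'match', 'mismatch' or 'no-manifest' for a c2pa.hash.data-style assertion."""
    if assertion is None:
        return "no-manifest"
    if assertion["alg"] != "sha256":
        raise ValueError("unsupported hash algorithm")
    actual = hard_binding_hash(asset, assertion["exclusions"])
    return "match" if hmac.compare_digest(actual, assertion["hash"]) else "mismatch"

# Constructed sample asset: header, a slot where the manifest store sits, then content.
HEADER = b"CONSTRUCTED-HEADER"
SLOT = b"\x00" * 64
CONTENT = bytes(range(256)) * 4
ASSET = HEADER + SLOT + CONTENT
EXCLUSIONS = [{"start": len(HEADER), "length": len(SLOT)}]
# Raw digest bytes here; a JSON rendering would carry the hash in encoded form.
ASSERTION = {"alg": "sha256", "exclusions": EXCLUSIONS,
             "hash": hard_binding_hash(ASSET, EXCLUSIONS)}

def scenarios():
    signed = HEADER + b"\x5a" * 64 + CONTENT      # manifest bytes written into the slot
    edited = bytearray(ASSET)
    edited[-1] ^= 0x01                            # single content bit flipped
    return {
        "intact": check_binding(ASSET, ASSERTION),
        "manifest slot filled": check_binding(signed, ASSERTION),
        "content edited": check_binding(bytes(edited), ASSERTION),
        "re-encoded, metadata gone": check_binding(CONTENT, None),
    }

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name}: {verdict}")
```

The last scenario is the one that matters on the open web: a stripped file does not fail verification, it simply has nothing to verify.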
Layer two: SynthID for the cases C2PA cannot cover
This is where SynthID comes in. SynthID is Google DeepMind’s watermarking system. The original 2023 image variant embeds an imperceptible signal in the pixel statistics of generated images. The text version, described in a 2024 Nature paper, modulates the sampling distribution at generation time by partitioning the vocabulary with a keyed pseudorandom function and biasing token selection toward one half of the partition. A detector with the same key can run a statistical test across the token stream and report a confidence score.
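A toy version of the keyed-partition scheme this paragraph describes, with the detector's statistical test made explicit. It is an added illustration, not SynthID's production algorithm or any vendor's code: the key, the integer vocabulary, the uniform sampler standing in for a model, and the threshold of 4.0 are all constructed assumptions.

```python
import hashlib
import hmac
import math
import random

VOCAB = range(1000)               # constructed toy vocabulary of token ids
KEY = b"constructed-demo-key"     # constructed watermark key

def is_green(key, prev, tok):
    """Keyed PRF: is `tok` in the favoured half of the vocabulary after `prev`?"""
    mac = hmac.new(key, f"{prev}:{tok}".encode(), hashlib.sha256).digest()
    return mac[0] & 1 == 0

def generate(n, seed, key=None, candidates=4):
    """Toy sampler: uniform draws; when a key is given, prefer a green candidate."""
    rng = random.Random(seed)
    out = [rng.choice(VOCAB)]
    while len(out) < n:
        draws = [rng.choice(VOCAB) for _ in range(candidates)]
        pick = draws[0]
        if key is not None:
            pick = next((t for t in draws if is_green(key, out[-1], t)), draws[0])
        out.append(pick)
    return out

def z_score(tokens, key):
    """Test H0 'green fraction is 1/2', i.e. no watermark under this key."""
    n = len(tokens) - 1           # the first token has no predecessor to key on
    if n < 1:
        raise ValueError("need at least two tokens")
    green = sum(is_green(key, p, t) for p, t in zip(tokens, tokens[1:]))
    return (green - n / 2) / math.sqrt(n / 4)

def detect(tokens, key, threshold=4.0):
    return z_score(tokens, key) >= threshold

if __name__ == "__main__":
    marked = generate(201, seed=1, key=KEY)
    print("watermarked, right key:", round(z_score(marked, KEY), 1))
    print("watermarked, wrong key:", round(z_score(marked, b"other-key"), 1))
    print("unmarked text:         ", round(z_score(generate(201, seed=2), KEY), 1))
    print("11-token snippet:      ", round(z_score(generate(11, seed=3, key=KEY), KEY), 1))
```

The 11-token case shows a limit that holds regardless of key: with ten scored tokens the z-score cannot exceed about 3.2, so a short excerpt cannot clear the threshold even when every token is green.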
For images, SynthID is closer to traditional steganography but tuned with a learned encoder/decoder pair. The encoder is trained to embed a pattern that survives common transforms (JPEG re-encoding, mild cropping, brightness shifts, screenshot capture) while remaining invisible to humans. The decoder reads that pattern back. DeepMind has reported that the system handles billions of pieces of content across Google’s products.
The trade-off is real and well-studied. A 2023 paper from the University of Maryland showed that diffusion-based purification attacks degrade most pixel watermarks to near-random detector output, and a follow-up specifically targeted SynthID-style watermarks with regeneration attacks. The watermarks survive casual transforms; they do not survive an adversary who knows what they are doing. For text watermarks, paraphrasing through another LLM is generally enough to wash the signal out, as the original Kirchenbauer et al. paper acknowledges.
So SynthID is a probabilistic signal that survives normal sharing but not deliberate stripping. C2PA is a deterministic signal that survives no stripping but verifies provenance precisely when present. Stacking them is sensible. They fail in different directions.
Layer three: the verification tool, and why it matters
OpenAI is also putting up a hosted verifier. This is the piece that gets overlooked, and it is the most operationally important. C2PA has had readers for years (Adobe’s, the CAI verify tool, Microsoft’s in Bing), and SynthID had a public verifier launched in 2024. Adoption has been thin because journalists, fact-checkers, and ordinary users do not have a single place to drop a suspicious file and get a verdict that covers multiple watermarking schemes.
A unified verifier is a routing problem more than a cryptography problem. Given a file, you extract the C2PA manifest if present, run SynthID detectors keyed to each model family that might have produced it, fall back to model-specific perceptual signatures, and reconcile the results. The interesting engineering question is how to handle disagreement: a missing C2PA manifest combined with a positive SynthID hit means the file was generated and then stripped, which is itself a meaningful signal.
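One way the reconciliation step could be written, as an added sketch rather than OpenAI's verifier or any shipping tool. The result types, verdict strings, and detector family labels are hypothetical; the manifest reader and watermark detectors are assumed to have run already.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class C2paResult:            # hypothetical output of a manifest reader
    signature_ok: bool
    signer_trusted: bool     # certificate chains to the trust list
    binding_ok: bool         # hard-binding hash matches the file bytes
    source_type: str         # IPTC digitalSourceType from c2pa.actions

@dataclass
class WatermarkHit:          # hypothetical output of one watermark detector
    family: str
    score: float
    threshold: float

SYNTHETIC = {"trainedAlgorithmicMedia", "compositeWithTrainedAlgorithmicMedia"}

def reconcile(c2pa: Optional[C2paResult], hits: list) -> tuple:
    """Combine manifest and watermark results into (verdict, positive families)."""
    positives = sorted(h.family for h in hits if h.score >= h.threshold)
    if c2pa is None:
        if positives:
            # The case the text calls out: generated, then stripped of its manifest.
            return ("synthetic-manifest-stripped", positives)
        # No signal at all is not evidence of authentic capture.
        return ("unknown", [])
    if not (c2pa.signature_ok and c2pa.binding_ok):
        return ("manifest-invalid", positives)
    if not c2pa.signer_trusted:
        return ("manifest-untrusted-signer", positives)
    if c2pa.source_type in SYNTHETIC:
        return ("synthetic-declared", positives)
    if positives:
        # A valid manifest claims a non-synthetic source, yet a watermark fired.
        return ("conflict-manifest-vs-watermark", positives)
    return ("provenance-verified", [])

if __name__ == "__main__":
    hit = WatermarkHit("synthid-image", 0.97, 0.90)      # constructed sample values
    miss = WatermarkHit("synthid-image", 0.12, 0.90)
    capture = C2paResult(True, True, True, "digitalCapture")
    print(reconcile(None, [hit]))
    print(reconcile(None, [miss]))
    print(reconcile(capture, [hit]))
```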
The part nobody is solving yet
Provenance for AI-generated content is the easy half. The harder half is provenance for camera-captured content, and that requires hardware. Leica’s M11-P was the first production camera to ship C2PA signing in-body using a secure element. Sony has followed, Nikon has demoed it on the Z9, and the Content Authenticity Initiative member list keeps growing. Until enough cameras sign their output and enough platforms preserve the manifests through their image pipelines, the asymmetry runs the wrong way. AI vendors mark their output, and unmarked content gets the benefit of the doubt. That is backwards for the long-term threat model, which is synthetic content masquerading as authentic capture.
The announcement from OpenAI matters mostly because it adds a major generator to the list of C2PA-emitting sources and pushes SynthID adoption beyond Google’s own properties. Both standards become more useful as more participants implement them, and the verifier becomes more useful as it learns to recognize more watermark variants. None of this is a solution to deepfake fraud or election misinformation. It is one layer in what needs to be a much taller stack, with hardware attestation at the bottom, transport-layer manifest preservation in the middle, and detection as a last resort.
Which is roughly what the C2PA threat model document has said from the start. The interesting work for the next two years is in the middle layer: getting Instagram, X, WhatsApp, and the rest to stop stripping manifests on upload. The cryptography is settled. The plumbing is not.